The Algorithm
Compliance Engineering · Energy & Utilities · 10 min read · 2026-06-03

NERC CIP-013 Supply Chain Risk Management: The Vendor Assessment Program That Passes Audits

Oct 2020: NERC CIP-013-1 enforcement date — supply chain risk management now auditable
NERC CIP-013-1 became enforceable in October 2020 and requires responsible entities to develop and implement a supply chain cyber security risk management plan for industrial control system hardware, software, and services. The plan must address vendor identification, vendor risk assessment, and controls for vendor remote access under CIP-005-6 R2. Software integrity and authenticity requirements under CIP-010-3 R1.6 add a code-signing and hash-verification obligation to every software procurement event. The audit deficiency pattern Regional Entities encounter most: utilities have a plan document but cannot produce evidence that the procurement process was modified to execute it.

Full article content coming soon.
